Abstract
Model checking is an automated technique that can be used to determine whether a system satisfies certain required properties. The typical approach to verifying properties of software components is to check them for all possible environments. In reality, however, a component is only required to satisfy properties in specific environments. Unless these environments are formally characterized and used during verification (assume-guarantee paradigm), the results returned by verification can be overly pessimistic. This work introduces an approach that brings a new dimension to model checking of software components. When checking a component against a property, our modified model checking algorithms return one of the following three results: the component satisfies a property for any environment; the component violates the property for any environment; or finally, our algorithms generate an assumption that characterizes exactly those environments in which the component satisfies its required property. Our approach has been implemented in the LTSA tool and has been applied to the analysis of two NASA applications.
Article PDF
Similar content being viewed by others
Explore related subjects
Discover the latest articles, news and stories from top researchers in related subjects.Avoid common mistakes on your manuscript.
References
Aho, A.V., Hopcroft, J.E., and Ullman, J.D. 2000. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley.
Alur, R., Henzinger, T., Mang, F., Qadeer, S., Rajamani, S., and Tasiran, S. 1998. Mocha: Modularity in model checking. In Proceedings of 10th International Conference on Computer Aided Verification (CAV), volume 1427 of Lecture Notes in Computer Science, Springer Verlag, pp. 521–525.
Alur, R., Henzinger, T.A., and Kupferman, O. 1997. Alternating-time temporal logic. In de Roever et al., pp. 23–60.
Aziz, A., Balarin, F., Brayton, R.K., Dibenedetto, M.D., Sladanha, A., and Sangiovanni-Vincentelli, A.L. 1995. Supervisory control of finite state machines. In P. Wolper, editor, 7th International Conference On Computer Aided Verification, vol. 939 of Lecture Notes in Computer Science. Liege, Belgium: Springer Verlag, pp. 279–292.
Balemi, S., Hoffmann, G., Gyugyi, P., Wong-Toi, H., and Franklin, G. 1993. Supervisory control of a rapid thermal multiprocessor. IEEE Transactions on Automatic Control, 38(7):1040–1059, 1993.
Cheung, S. and Kramer, J. 1996. Context constraints for compositional reachability analysis. ACM Transactions on Software Engineering and Methodology, 5(4):334–377.
Cheung, S. and Kramer, J. 1999. Checking safety properties using compositional reachability analysis. ACM Transactions on Software Engineering and Methodology, 8(1):49–78.
Clarke, E.M., Grumberg, O., and Peled, D. 2000. Model Checking. MIT Press.
Cobleigh, J.M., Giannakopoulou, D., and Păsăreanu, C.S. 2003. Learning assumptions for compositional verification. In Proceedings of the 9th International Conference on Tools and Algorithms for Construction and Analysis of Systems (TACAS).
de Alfaro, L. and Henzinger, T. 2001. Interface automata. In Proc. of the Joint 8th European Software Engineering Conference and 9th ACM SIGSOFT International Symposium on Foundations of Software Engineering (ESEC/FSE), ACM Press.
de Alfaro, L. and Henzinger, T. 2001. Interface theories for component-based design. In Proceedings of EMSOFT 01: Embedded Software, volume 2211 of Lecture Notes in Computer Science, Springer Verlag, pp. 148–165.
de Roever, W.-P. 1997. The need for compositional proof systems: A survey. In de Roever et al., pp. 1–22.
de Roever, W.P., de Boer, F., Hanneman, U., Hooman, J., Lakhnech, Y., Poel, M., and Zwiers, J. 2001. Concurrency Verification: Introduction to Compositional and Non-compositional Methods. Cambridge University Press.
de Roever, W.-P., Langmaack, H., and Pnueli, A. (ed.) 1997. Compositionality: The Significant Difference - An International Symposium, COMPOS’97, volume 1536 of Lecture Notes in Computer Science. Springer-Verlag.
di Benedetto, M. and Sangiovanni-Vincentelli, A. 2001. Model matching for finite-state machines. IEEE Transactions on Automatic Control, 46(11):1726–1743.
Flanagan, C., Freund, S., and Qadeer, S. 2002. Thread-modular verification for shared-memory programs. In Proceedings of the European Symposium on Programming.
Giannakopoulou, D., Kramer, J., and Cheung, S. 1999. Analysing the behaviour of distributed systems using Tracta. Journal of Automated Software Engineering, special issue on Automated Analysis of Software, 6(1):7–35.
Giannakopoulou, D., Păsăreanu, C.S., and Barringer, H. 2002. Assumption generation for software component verification. In Proceedings of the 17th IEEE International Conference on Automated Software Engineering.
Graf, S., Steffen, B., and Lüttgen, G. 1996. Compositional minimisation of finite state systems using interface specifications. Formal Aspects of Computation, 8.
Haghverdi, E. and Ural, H. 1999. Submodule construction from concurrent system specifications. Information and Software Technology, 41:499–506.
Havelund, K. and Rosu, G. 2001. Monitoring Java programs with Java pathexplorer. In First Workshop on Runtime Verification (RV’01), volume 55(2) of Electronic Notes in Theoretical Computer Science, Paris, France.
Havelund, K., Lowry, M., and Penix, J. 2001. Formal analysis of a space craft controller using SPIN. In IEEE Transactions on Software Engineering, Vol. 27, Num. 8.
Holzmann, G. 1991. The Design and Validation of Computer Protocols. Prentice Hall.
Inverardi, P., Wolf, A., and Yankelevich, D. 2000. Static checking of system behaviors using derived component assumptions. ACM Transactions on Software Engineering Methods, 9(3):239–272.
Jones, C. 1983. Tentative steps towards a development method for interfering programs. ACM Transactions on Programming Languages and Systems, 5(4):596–619.
Khatri, S., Narayan, A., Krishnan, S., McMillan, K., Brayton, R., and Sangiovanni-Vincentelli, A. 1996. Engineering change in a non-deterministic FSM setting. In Proceedings of 33rd IEEE/ACM Design Automation Conference.
Krimm, J.-P. and Mounier, L. 1997. Compositional state space generation from LOTOS programs. In E. Brinksma, editor, 3rd International Workshop on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’97), volume 1217 of Lecture Notes in Computer Science. Enschede, The Netherlands: Springer.
Larsen, K. and Thomsen, B. 1988. A modal process logic. In Proceedings of the IEEE/ACM Conference on Logic in Computer Science, LICS’88.
Larsen, K. and Xinxin, L. 1990. Equation solving using modal transition systems. In Proceedings of the IEEE/ACM Conference on Logic in Computer Science, LICS’90.
Magee, J., Dulay, N., and Kramer, J. 1994. Regis: A constructive development environment for parallel and distributed programs. Distributed Systems Engineering Journal, Special Issue on Configurable Distributed Systems, 1(5):304–312.
Magee, J., and Kramer, J. 1999. Concurrency: State Models & Java Programs. John Wiley & Sons.
Magee, J., Kramer, J., and Giannakopoulou, D. 1999. Behaviour analysis of software architectures. In 1st Working IFIP Conference on Software Architecture (WICSA1): San Antonio, TX, USA.
Magee, J., Pryce, N., Giannakopoulou, D., and Kramer, J. 2000. Graphical animation of behavior models. In Proceedings of the 22nd International Conference of Software Engineering (ICSE).
Merlin, P., and Bochmann, G.V. 1983. On the construction of submodule specification and communication protocols. ACM Transactions on Programming Languages and Systems, 5:1–25.
Milner, R. 1989. Communication and Concurrency. Prentice-Hall.
Parrow, J. 1989. Submodule construction as equation solving CCS. Theoretical Computer Science, 68:175–202.
Păsăreanu, C.S., Dwyer, M.B., and Huth, M. 1999. Assume-guarantee model checking of software: A comparative case study. In D. Dams, R. Gerth, S. Leue, and M. Massink, editors, Theoretical and Practical Aspects of SPIN Model Checking, volume 1680 of Lecture Notes in Computer Science. Springer-Verlag, pp. 168–183.
Pnueli, A., 1984. In transition from global to modular temporal reasoning about programs. In K. Apt, editor, Logic and Models of Concurrent Systems, volume 13, New York: Springer-Verlag.
Pell, B., Gat, E., Keesing, R., Muscettola, N., and Smith, B. 1997. Plan execution for autonomous spacecrafts. In Proc. of the Int. Joint Conf. on Artificial Intelligence.
Shields, M. 1989. A note on the simple interface equation. The Computer Journal, 32(5):399–412.
Sidhu, D.P. and Aristizabal, J. 1988. Constructing submodule specifications and network protocols. IEEE Transactions on Software Engineering, 14(11):1565–1577.
Stølen, K. 1991. A method for the development of totally correct shared-state parallel programs. In J. Baeten and J. Groote, editors, Proceedings of Concur’91, volume 527 of Lecture Notes in Computer Science. Springer Verlag.
Tronci, E. 1998. Automatic synthesis of controllers from formal specifications. In Proc. of 2nd IEEE Int. Conf. on Formal Engineering Methods. Brisbane, Australia.
Xu, Q., de Roever, W.-P., and He, J. 1997. The rely-guarantee method for verifying shared variable concurrent programs. Formal Aspects of Computing, 9(2):149–174.
Author information
Authors and Affiliations
Corresponding author
Additional information
This paper is an expanded version of Giannakopoulou et al. (2002).
Rights and permissions
About this article
Cite this article
Giannakopoulou, D., Păsăreanu, C.S. & Barringer, H. Component Verification with Automatically Generated Assumptions. Autom Software Eng 12, 297–320 (2005). https://doi.org/10.1007/s10515-005-2641-y
Issue Date:
DOI: https://doi.org/10.1007/s10515-005-2641-y